Different content permissions for dev vs production

Webpack provides some guidance on different sourcemap options for development vs production, specifically:

  • eval* options for development (e.g. eval-source-map)
  • source-map option for production

For an app that bundles its Custom UI with webpack this means that, during development, for eval-source-map to work the Forge manifest must include:

permissions:
  content:
    scripts:
      - 'unsafe-eval'

However, for production, it would be preferable to not allow unsafe script evaluation.

Is there a recommended technique for specifying different CSP settings for a Forge app for development vs production?

Currently the only choice seems to be either:

  1. Use ‘production’ source map settings in development (slower dev rebuilds), or
  2. Allow unsafe-eval in production (less secure)

Hi @scottohara! Thanks for the question.

Currently, there is no way to specify environment-specific permissions; instead, they are always app-specific. You should, however, be able to freely update the manifest.yml to remove and add the required CSPs for your desired webpack devtool configuration, depending on the intended deployment environment.

I hope this helps. If you have any follow-up questions, please reach out.
Thanks!
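
The manual manifest edit described in the answer can be backed by a pre-deploy check. The following is an added example, not part of the original thread or of Atlassian's tooling: a small Node.js guard that reads the sources under permissions.content.scripts and rejects a manifest whose 'unsafe-eval' setting does not match the webpack devtool for the target environment. The function names, and the rule that every non-development environment uses source-map, are assumptions.

```javascript
// Added example (not Atlassian's code): pre-deploy guard for a Forge manifest.yml.
// Assumption: handles the block-style YAML shown in the question, not flow-style
// lists such as scripts: ['unsafe-eval'].
function scriptSources(manifestText) {
  const stack = []; // enclosing keys as { indent, key }
  const sources = [];
  for (const raw of manifestText.split(/\r?\n/)) {
    const line = raw.replace(/(^|\s)#.*$/, '').trimEnd(); // drop comments
    if (!line.trim()) continue;
    const indent = line.length - line.trimStart().length;
    const text = line.trim();
    const item = text.match(/^-\s+(.*)$/);
    if (item) {
      // A list item belongs to the nearest key at the same or lower indent.
      while (stack.length && stack[stack.length - 1].indent > indent) stack.pop();
      if (stack.map((e) => e.key).join('.') === 'permissions.content.scripts') {
        sources.push(item[1].replace(/^(['"])(.*)\1$/, '$2'));
      }
      continue;
    }
    const key = text.match(/^(.+?):(\s.*)?$/);
    if (!key) continue;
    while (stack.length && stack[stack.length - 1].indent >= indent) stack.pop();
    stack.push({ indent, key: key[1] });
  }
  return sources;
}

// Devtool per environment, per the page: eval-source-map for development,
// source-map otherwise (assumption: staging is treated like production).
function devtoolFor(environment) {
  return environment === 'development' ? 'eval-source-map' : 'source-map';
}

function checkManifest(manifestText, environment) {
  const allowsEval = scriptSources(manifestText).includes('unsafe-eval');
  const needsEval = devtoolFor(environment).startsWith('eval');
  if (allowsEval && !needsEval) {
    return { ok: false, reason: `remove 'unsafe-eval' before deploying to ${environment}` };
  }
  if (!allowsEval && needsEval) {
    return { ok: false, reason: `eval-source-map needs 'unsafe-eval' in ${environment}` };
  }
  return { ok: true, reason: 'manifest matches the webpack devtool' };
}

// Constructed sample: the manifest fragment from the question.
const DEV_MANIFEST = "permissions:\n  content:\n    scripts:\n      - 'unsafe-eval'\n";
```

Call checkManifest with the contents of manifest.yml and the target environment in CI, and fail the job when ok is false.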